The Pay System design fully supports the segregation of duties as outlined in the Financial Administration Act (FAA). The system edits in place enforce segregation of duties by user class, e.g. initiate (Section 32), verify (Section 34) and authorize (Section 33). Automated controls in the Pay System prevent the same user from creating and authorizing the same pay transaction. The Pay System is not designed to prevent the same user from creating (Section 32) and verifying (Section 34) the same transaction. However, because a high number of departments operate in a service delivery model that allows bulk authorizations, the Office of the Auditor General of Canada (OAG) has highlighted this as an issue that exposes those departments to internal control weaknesses.
From a central operations perspective, this document suggests that departments implement internal processes to ensure that a departmental Security Access Control Officer (SACO) addresses this issue by not assigning users the ability to both create and verify the same transaction.
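A detective check a departmental SACO could run for the create/verify gap described above, as an added example that is not part of the original document or the Pay System. The role labels, user IDs, transaction IDs and record layout are constructed assumptions, not the Pay System's actual data model.

```python
from collections import defaultdict

# Assumed labels for the three FAA user classes named in the text.
INITIATE, VERIFY, AUTHORIZE = "S32", "S34", "S33"

# Constructed role assignments: user -> roles granted by the SACO.
ASSIGNMENTS = {
    "comp_advisor_a": {INITIATE},
    "comp_advisor_b": {INITIATE, VERIFY},  # conflicting grant
    "manager_d": {VERIFY},
    "fin_officer_c": {AUTHORIZE},
}

# Constructed action log: (transaction id, section exercised, user).
ACTIONS = [
    ("TX-1001", INITIATE, "comp_advisor_a"),
    ("TX-1001", VERIFY, "manager_d"),
    ("TX-1001", AUTHORIZE, "fin_officer_c"),
    ("TX-1002", INITIATE, "comp_advisor_b"),
    ("TX-1002", VERIFY, "comp_advisor_b"),  # same user created and verified
    ("TX-1002", AUTHORIZE, "fin_officer_c"),
    ("TX-1003", INITIATE, "comp_advisor_b"),
    ("TX-1003", VERIFY, "manager_d"),
]

def conflicting_grants(assignments):
    """Users who hold both the initiate (S32) and verify (S34) abilities."""
    return sorted(u for u, roles in assignments.items()
                  if {INITIATE, VERIFY} <= roles)

def self_verified(actions):
    """Map each transaction to the users who both created and verified it."""
    by_tx = defaultdict(lambda: defaultdict(set))
    for tx, section, user in actions:
        by_tx[tx][section].add(user)
    return {tx: sorted(s[INITIATE] & s[VERIFY])
            for tx, s in sorted(by_tx.items()) if s[INITIATE] & s[VERIFY]}

def authorized_without_independent_verify(actions):
    """Self-verified transactions that still received a Section 33 authorization."""
    authorized = {tx for tx, section, _ in actions if section == AUTHORIZE}
    return sorted(tx for tx in self_verified(actions) if tx in authorized)

if __name__ == "__main__":
    print("Conflicting grants:", conflicting_grants(ASSIGNMENTS))
    print("Self-verified:", self_verified(ACTIONS))
    print("Authorized anyway:", authorized_without_independent_verify(ACTIONS))
```

The first function reviews what the SACO has granted; the other two review what was actually done, which also catches a conflicting grant that has since been removed.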